deny
The lists of denied files and extensions (the security deny rules in locations.conf) can now be configured from the conf file.
This commit is contained in:
parent
dbf755d98b
commit
467475b1f7
8 changed files with 76 additions and 24 deletions
16
lib/general
16
lib/general
|
@ -1359,6 +1359,22 @@ check_var() {
|
|||
local out="false"
|
||||
fi
|
||||
|
||||
# Locations: Deny Extensions
|
||||
elif [[ $1 == "locations-deny-extensions" ]]; then
|
||||
if [[ -z $(conf_read locations-deny-extensions) ]]; then
|
||||
local out="old|orig|original|php#|php~|php_bak|save|swo|asp|aspx|tpl|sh|bash|ba|bak|cfg|cgi|dll|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|rdf|pem|ppk|asc|conf|dump|exe|msi|tar|gz|zip|bz2|7z"
|
||||
else
|
||||
local out=$(conf_read locations-deny-extensions)
|
||||
fi
|
||||
|
||||
# Locations: Deny Files
|
||||
elif [[ $1 == "locations-deny-files" ]]; then
|
||||
if [[ -z $(conf_read locations-deny-files) ]]; then
|
||||
local out="readme|license|example|legalnotice|installation|changelog|wp-config"
|
||||
else
|
||||
local out=$(conf_read locations-deny-files)
|
||||
fi
|
||||
|
||||
# FastCGI Cache: Exclude URL
|
||||
elif [[ $1 == "wpcache-exclude-url" ]]; then
|
||||
if [[ -z $(conf_read wpcache-exclude-url) ]]; then
|
||||
|
|
|
@ -299,6 +299,10 @@ nginx_optim() {
|
|||
sudo sed -i "/worker_rlimit_nofile /c \worker_rlimit_nofile $fd_per_process;" /etc/nginx/nginx.conf
|
||||
sudo sed -i "/open_file_cache max /c \ open_file_cache max=$(($fd_per_process/3)) inactive=5m;" /etc/nginx/nginx.conf
|
||||
|
||||
# Locations
|
||||
sudo sed -i "s&<locations-deny-extensions>&$(check_var locations-deny-extensions)&" /etc/nginx/common/locations.conf
|
||||
sudo sed -i "s#<locations-deny-files>#$(check_var locations-deny-files)#" /etc/nginx/common/locations.conf
|
||||
|
||||
# WP Cache
|
||||
[[ $(check_var wpcache-query-strings) == "all" ]] && sudo sed -i '/# URL with a query string should always go to php/,/\} #End/{/.*/d}' /etc/nginx/common/wpfc.conf
|
||||
sudo sed -i "s#<wpcache-exclude-url>#$(check_var wpcache-exclude-url)#" /etc/nginx/common/wpfc.conf
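Review bot: The two new `sed` lines for `<locations-deny-extensions>` and `<locations-deny-files>` splice the conf values into `locations.conf` with no validation, and `check_var` (earlier hunk of this file) returns the raw `conf_read` value whenever one is set. A value containing the delimiter chosen on each line (`&` on the first, `#` on the second), a `&` back-reference, a backslash, or PCRE metacharacters such as `)` or `$` will therefore either break the substitution or change what the generated `location ~* ^.+\.(…)$` matches. The built-in defaults are safe, but since the conf file explicitly invites editing these lists, I would reject anything outside the characters the defaults need before substituting, e.g. `local deny_ext="$(check_var locations-deny-extensions)"` followed by `[[ $deny_ext =~ ^[A-Za-z0-9_~#|-]+$ ]] || { echo "Invalid locations-deny-extensions value"; return 1; }` (using whatever error reporting this file normally uses), and the same for the files list. `nginx_optim` starts outside this hunk.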
|
||||
|
|
|
@ -52,6 +52,16 @@
|
|||
#swap-mem:1
|
||||
|
||||
|
||||
# IAM Role (AWS Credentials)
|
||||
# Values: boolean (true/false)
|
||||
# Default: false
|
||||
# Note: (server-reset not needed)
|
||||
# Note: Set to 'true' if your EC2 instance has an IAM Role attached with full access to S3
|
||||
# Same as: sudo webinoly -aws-s3-credentials=awsiamrole
|
||||
###########################
|
||||
#awsiamrole:false
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
@ -163,14 +173,16 @@
|
|||
#blockip:1.1.1.1,2.2.2.2
|
||||
|
||||
|
||||
# IAM Role (AWS Credentials)
|
||||
# Values: boolean (true/false)
|
||||
# Default: false
|
||||
# Note: (server-reset not needed)
|
||||
# Note: Set to 'true' if your EC2 instance has an IAM Role attached with full access to S3
|
||||
# Same as: sudo webinoly -aws-s3-credentials=awsiamrole
|
||||
# Block/Deny files and extensions
|
||||
# Values: <filename>|<filename>... (files txt|html|htm|md)
|
||||
# Values: <ext>|<ext>... (extensions)
|
||||
# Note: This is a security feature, please don't modify unless you are sure about it.
|
||||
# Note: For example, any request to 'readme.txt' or 'name.log' will be blocked (case insensitive).
|
||||
# Note: To revert any changes and set the original Webinoly defaults, just #comment these two variables and then server-reset.
|
||||
# Note: You can remove some extensions like 'exe' if you are distributing installers, for instance, or you can add any of your preference.
|
||||
###########################
|
||||
#awsiamrole:false
|
||||
#locations-deny-files:readme|license|example|legalnotice|installation|changelog|wp-config
|
||||
#locations-deny-extensions:old|orig|original|php#|php~|php_bak|save|swo|asp|aspx|tpl|sh|bash|ba|bak|cfg|cgi|dll|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|rdf|pem|ppk|asc|conf|dump|exe|msi|tar|gz|zip|bz2|7z
|
||||
|
||||
|
||||
# FastCGI Cache
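Review bot: The new notes tell the user these lists are a security feature and may be edited, but not what shape a value must have: each list is inserted verbatim into a Nginx `location ~*` regular expression (through a `sed` substitution in lib/general), so characters such as `(`, `)`, `$`, `.`, `&` or spaces would break or widen the rule. I would add a line such as `# Note: Plain names only, separated by '|' (no spaces, no regex characters); the list is inserted as-is into a Nginx regex.` The commented defaults here also duplicate the fallback lists hard-coded in `check_var` in lib/general, so a note that the two must be kept in sync would prevent drift. Finally, the `(files txt|html|htm|md)` hint on the Values line is terse; spell out that the listed names are blocked only when they carry one of those extensions.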
|
||||
|
|
|
@ -9,7 +9,22 @@
|
|||
include common/headers-http.conf;
|
||||
include common/headers-html.conf;
|
||||
|
||||
# Cache static files
|
||||
# CORS and Cache for static files
|
||||
##################################
|
||||
|
||||
# CORS only needed for:
|
||||
# - Invocations of the XMLHttpRequest or Fetch APIs, as discussed above. (preflight mode may be needed, not included here)
|
||||
# - Web Fonts (for cross-domain font usage in @font-face within CSS), so that servers can deploy TrueType fonts that can only be loaded cross-origin and used by web sites that are permitted to do so.
|
||||
# - WebGL textures.
|
||||
# - Images/video frames drawn to a canvas using drawImage().
|
||||
# - CSS Shapes from images.
|
||||
# Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
|
||||
|
||||
# That means that most of the times is only used by fonts. (Simple request mode with wildcard is enough)
|
||||
|
||||
# NOTE: We have this location here (not in locations.conf) to add the HSTS header when needed in static files.
|
||||
# Add the Strict-Transport-Security header to all HTTPS responses. https://hstspreload.org/#deployment-recommendations
|
||||
|
||||
location ~* \.(css|xml|gif|jpeg|jpg|js|atom|rss|mml|txt|jad|wml|htc|avif|png|svg|svgz|tif|tiff|wbmp|webp|ico|jng|bmp|woff|woff2|jar|war|ear|json|hqx|doc|pdf|ps|eps|ai|rtf|m3u8|kml|kmz|xls|eot|ppt|odg|odp|ods|odt|pptx|xlsx|docx|wmlc|wasm|7z|cco|jardiff|jnlp|run|pl|pm|prc|pdb|rar|rpm|sea|swf|sit|tcl|tk|der|pem|crt|xpi|xhtml|xspf|zip|bin|exe|dll|deb|dmg|iso|img|msi|msp|msm|mid|midi|kar|mp3|ogg|m4a|ra|3gpp|3gp|ts|mp4|mpeg|mpg|mov|webm|flv|m4v|mng|asx|asf|wmv|avi|ogv|otf|ttf|tgz|gz|bz2|tar|wav|cur|heic|aac|webmanifest|cast)$ {
|
||||
include common/headers-http.conf;
|
||||
add_header "Access-Control-Allow-Origin" "*";
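Review bot: The new comment says this location exists to add the HSTS header to static files and that `Strict-Transport-Security` is added to all HTTPS responses, but in this template the location only re-includes `common/headers-http.conf` and the file's top does not include `common/headers-https.conf`, so if this is the plain-HTTP template those two sentences are misleading here; I would shorten them to `# NOTE: This location is kept here (not in locations.conf) so the HTTPS template can add its own headers to static files too.` The comment should also state why `include common/headers-http.conf;` is repeated inside the location: an `add_header` at location level replaces every `add_header` inherited from the server level, so without the re-include static responses would lose the security headers. Lastly, the claim that CORS "is only used by fonts" understates the unchanged `Access-Control-Allow-Origin: *` line, which applies to every type in the regex, including json, xml, txt and pdf; that is acceptable for public assets but worth saying, e.g. `# The wildcard applies to every type listed below, not only fonts.`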
|
||||
|
|
|
@ -10,7 +10,22 @@ include common/headers-http.conf;
|
|||
include common/headers-html.conf;
|
||||
include common/headers-https.conf;
|
||||
|
||||
# Cache static files
|
||||
# CORS and Cache for static files
|
||||
##################################
|
||||
|
||||
# CORS only needed for:
|
||||
# - Invocations of the XMLHttpRequest or Fetch APIs, as discussed above. (preflight mode may be needed, not included here)
|
||||
# - Web Fonts (for cross-domain font usage in @font-face within CSS), so that servers can deploy TrueType fonts that can only be loaded cross-origin and used by web sites that are permitted to do so.
|
||||
# - WebGL textures.
|
||||
# - Images/video frames drawn to a canvas using drawImage().
|
||||
# - CSS Shapes from images.
|
||||
# Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
|
||||
|
||||
# That means that most of the times is only used by fonts. (Simple request mode with wildcard is enough)
|
||||
|
||||
# NOTE: We have this location here (not in locations.conf) to add the HSTS header when needed in static files.
|
||||
# Add the Strict-Transport-Security header to all HTTPS responses. https://hstspreload.org/#deployment-recommendations
|
||||
|
||||
location ~* \.(css|xml|gif|jpeg|jpg|js|atom|rss|mml|txt|jad|wml|htc|avif|png|svg|svgz|tif|tiff|wbmp|webp|ico|jng|bmp|woff|woff2|jar|war|ear|json|hqx|doc|pdf|ps|eps|ai|rtf|m3u8|kml|kmz|xls|eot|ppt|odg|odp|ods|odt|pptx|xlsx|docx|wmlc|wasm|7z|cco|jardiff|jnlp|run|pl|pm|prc|pdb|rar|rpm|sea|swf|sit|tcl|tk|der|pem|crt|xpi|xhtml|xspf|zip|bin|exe|dll|deb|dmg|iso|img|msi|msp|msm|mid|midi|kar|mp3|ogg|m4a|ra|3gpp|3gp|ts|mp4|mpeg|mpg|mov|webm|flv|m4v|mng|asx|asf|wmv|avi|ogv|otf|ttf|tgz|gz|bz2|tar|wav|cur|heic|aac|webmanifest|cast)$ {
|
||||
include common/headers-http.conf;
|
||||
include common/headers-https.conf;
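Review bot: The comment explains why CORS is wanted but not why both `include common/headers-*.conf;` lines are repeated inside this location: any `add_header` defined at location level (presumably the wildcard `Access-Control-Allow-Origin` that follows, as in the sibling template) discards every `add_header` inherited from the server level, so without these re-includes static responses would carry no HSTS or other security headers. A one-line comment, e.g. `# Re-included because add_header inside a location drops all inherited add_header directives.`, would stop someone "cleaning up" the duplication. The "only used by fonts" remark is also broader in practice, since the wildcard is granted to every extension in the regex (json, xml, txt, pdf and so on), which is fine for public assets but should be stated rather than implied.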
|
||||
|
|
|
@ -15,9 +15,9 @@ location ~* ^/robots.txt$ {
|
|||
|
||||
|
||||
# Security settings for better privacy
|
||||
#######################################
|
||||
|
||||
# Deny hidden files except the "well-known" folder
|
||||
# We have decided not to include Google (Chrome) Private Prefetch Proxy (/.well-known/traffic-advice)
|
||||
# Deny hidden (dot) files except the "well-known" folder
|
||||
location ~* /.well-known.*/$ {autoindex off;}
|
||||
location ~* ^\/\.(?!(well-known/)).*$ {
|
||||
deny all;
|
||||
|
@ -25,14 +25,14 @@ location ~* ^\/\.(?!(well-known/)).*$ {
|
|||
log_not_found off;
|
||||
}
|
||||
|
||||
# Deny backup extensions & log files
|
||||
location ~* ^.+\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$ {
|
||||
# Deny/Block some extensions
|
||||
location ~* ^.+\.(<locations-deny-extensions>)$ {
|
||||
deny all;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
|
||||
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html)
|
||||
location ~* "/(^$|readme|license|example|README|LEGALNOTICE|INSTALLATION|CHANGELOG)\.(txt|html|md)" {
|
||||
location ~* "/(<locations-deny-files>)\.(txt|html|htm|md)" {
|
||||
return 403;
|
||||
}
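Review bot: The comment kept above the new deny-files location (`# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html)`) now describes only the old hard-coded list; the location is driven by `<locations-deny-files>` and also covers `.htm` and `.md`, so it should read something like `# Return 403 for the names listed in locations-deny-files (conf) with a txt|html|htm|md extension`. Separately, `wp-config` has moved from an exact-match `location = /wp-config.txt { deny all; }` (removed elsewhere in this commit) into this `~*` regex location: an exact-match location wins over any regex, but a regex location only wins over regex locations that appear after it, so if a site's `location ~* \.(css|…|txt|…)$` static-files block is included before `locations.conf`, `/wp-config.txt` would be served by that block instead of returning 403. The include order is not visible here, so this is worth confirming with a request for `/wp-config.txt` after the change.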
|
||||
|
|
|
@ -29,11 +29,6 @@ location = /wp-login.php {
|
|||
fastcgi_pass php;
|
||||
}
|
||||
|
||||
# Disable wp-config.txt
|
||||
location = /wp-config.txt {
|
||||
deny all;
|
||||
}
|
||||
|
||||
# Disallow php in upload folder
|
||||
location /wp-content/uploads/ {
|
||||
location ~* \.php$ {
|
||||
|
|
|
@ -31,11 +31,6 @@ location = /wp-login.php {
|
|||
fastcgi_pass php;
|
||||
}
|
||||
|
||||
# Disable wp-config.txt
|
||||
location = /wp-config.txt {
|
||||
deny all;
|
||||
}
|
||||
|
||||
# Disallow php in upload folder
|
||||
location /wp-content/uploads/ {
|
||||
location ~* \.php$ {
|
||||
|
|